YunoHost 2.7.2 to 2.7.14 – Multiple Vulnerabilities

The following document describes identified vulnerabilities in Yunohost 2.7.2. to 2.7.14.

Product Description

YunoHost is an application that is used to manage applications hosted on a Linux server. Additionally, it allows the user to manage the entire Linux system, including installed services, firewall rules, and system updates. The application’s official website is yunohost.org. Version 2.7.2 was released on August 22, 2017, and version 2.7.14 was released on June 28, 2018.

Vulnerabilities List

Two vulnerabilities were identified within the YunoHost application:

Two instances of stored cross-site scripting

One instance of HTTP header injection

These vulnerabilities are described in the following sections.

Affected Version

Versions between 2.7.2 and 2.7.14

Solution

TBD

Stored Cross-site Scripting

The YunoHost application is affected by two cross-site scripting (XSS) vulnerabilities that are stored within the user profile. These vulnerabilities allow the execution of a JavaScript payload inside the victim’s browser.

Vulnerability Details

CVE ID: CVE-2018-11348

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-79

CVSS Base Score: 8.8

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Two XSS vulnerabilities are located in the user profile page of the user panel within the YunoHost application. By injecting a JavaScript payload in the vulnerable parameter of the profile page, an attacker can manipulate a user’s session. The weak parameters are givenname or sn.

To demonstrate the attack, the following payload can be used for each parameter:

HTTP Header Injection

The YunoHost application is affected by one HTTP header injection vulnerability. An attacker can exploit this vulnerability by manipulating one of the request parameters and injecting a malicious HTTP header in the response returned by the server This header could be used to set a cookie or overwrite HTTP header used to instruct the client browser to protect client data. Full exploitation requires the attacker to interact with the user and send them the malicious link. By combining the HTTP header injection vulnerability with the XSS vulnerability described above, an attacker could target the browser of the victim using a malicious JavaScript payload and exploit.

Vulnerability Details

CVE ID: CVE-2018-11347

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-352

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

The authentication page of the YunoHost application is vulnerable to injection. The attack could be performed using the following URL:

1

https://HOST/yunohost/sso/?r=%0aFAKEHTTPEADER:%20BADPARANTER

The vulnerability can be used to force a user to log into an infected account with the XSS described in the previous section. An attacker can send the following request to perform this attack: